For Office 365 and Azure AD Auditing

NOTE: The product supports Azure Active Directory version provided within Microsoft Office 365.

Starting with version 9.96, Netwrix Auditor allows you to audit Office 365 organizations that have established modern authentication as their identity management approach, including support for multi-factor authentication (MFA). To learn more about modern authentication, refer to Microsoft documentation.

NOTE: Support for modern authentication is provided only in Netwrix Auditor 9.96 and higher. Earlier versions support basic authentication only.

In this scenario, Netwrix Auditor will access the cloud-based infrastructure via Microsoft Graph and other modern APIs, being authenticated through a pre-configured Azure AD application with appropriate access permissions. So, you should register an Azure AD app (manually, as described in this chapter) and provide its settings to Netwrix Auditor when configuring a monitored item.

In some scenarios, however, multi-factor authentication cannot be enabled for Netwrix Auditor service account. If so, you will need to configure an account with basic authentication to access Azure AD/Office 365 organization.

Modern authentication

Support for modern authentication will allow you to audit the organizations where:

  • MFA is enabled for all users, including service accounts

-OR-

  • Basic authentication is not allowed for any account

With modern authentication set up, Netwrix Auditor will collect the following data from the cloud-based infrastructure:

  • Azure AD — activity data
  • Exchange Online — activity data
  • SharePoint Online — activity data, state-in-time data

Required configuration procedure includes several manual steps, as described in the corresponding sections:

NOTE: To collect data on the non-owner mailbox access, additional configuration steps are required. See Settings for non-owner mailbox access audit: automatic configuration or Settings for non-owner mailbox access audit: manual configuration.

Basic authentication

If multi-factor authentication cannot be enabled for Netwrix Auditor account, you can instruct the solution to use basic authentication when accessing the Azure AD/Office 365 organization. In this scenario, you can benefit from the fully automated configuration steps, including automatic Azure AD app registration.

Netwrix Auditor will collect the following data from related data sources:

  • For Azure AD — activity data
  • For Exchange Online — activity data, state-in-time data
  • For SharePoint Online — activity data, state-in-time data

Required configuration steps are described in the corresponding sections:

So, before you start auditing the Azure AD/Office 365 tenant, plan for the account that will be used for data collection from the cloud-based infrastructure. You will need to provide this account in the monitored item (Office 365 Tenant) settings.